[ratelimits] new type of attack or stuck client?

wolfgang.rupprecht at gmail.com wolfgang.rupprecht at gmail.com
Thu May 23 23:58:09 UTC 2013


Vernon Schryver writes:
> > From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com>
> 
> > Is this an attack or just a stuck client?  Up to this point the only
> > attacks I saw were forged UDP/ANY against domains I'm authoritative for.
> 
> 7 requests/sec  (given 'responses-per-second 5', I assume there were 5
> "consider limiting" log messages before the 2 slips)
> isn't much of an attack even if the responses were 3 KBytes instead
> of practically empty NODATA.

The full logs from this client (requires IPv6 to access):
https://www.wsrcc.com/wolfgang/private/rrl-looping.txt

I probably misunderstood how slip works.  I thought a value of "1"
meant a 1:1 reply with TC.  The incoming query rate was
approx. 166 q/s in the second I counted.  The average was ~44 q/s.

> 877 plus some number of 5 qps responses plus some other number of
> isolated queries over what period?

Over a 20 second period.

> I bet you've got some too-smart-by-half idiot using your cute name
> dumbcat.snafu.org as some sort of network health beacon.

This may well be a spamming trojan with a few bugs.  dumbcat.snafu.org
has an IPv6-only host record.  It is entirely possible the client
software didn't like not finding an A-record and getting a TC from
DNS.

-wolfgang
-- 
g+:  https://plus.google.com/114566345864337108516/about
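
The `responses-per-second` and `slip` settings discussed in this message, as an added example that is not part of the original post and is not BIND's code: a simplified one-client, one-second model showing how many responses are answered in full, sent truncated (TC) or dropped at the query rates quoted in the thread. The function names and the per-second simplification are assumptions made for the illustration.

```python
"""Simplified model of DNS response rate limiting (RRL) with slip.

Added illustration, not BIND's implementation: real RRL keeps per-prefix
credit over a multi-second window; this models one client for one second.
"""
from collections import Counter


def rrl_second(queries, responses_per_second, slip):
    """Classify each identical query arriving within one second.

    Returns a Counter with keys 'full', 'tc' and 'drop'.
    Assumption: among rate-limited responses, every slip-th one is sent
    as a small truncated (TC=1) reply and the rest are dropped;
    slip=0 drops all of them, slip=1 truncates all of them.
    """
    if queries < 0 or responses_per_second < 0 or slip < 0:
        raise ValueError("arguments must be non-negative")
    out = Counter(full=0, tc=0, drop=0)
    limited = 0
    for n in range(queries):
        if n < responses_per_second:
            out["full"] += 1      # still within the per-second allowance
            continue
        limited += 1
        if slip and limited % slip == 0:
            out["tc"] += 1        # "slipped": truncated reply, client may retry over TCP
        else:
            out["drop"] += 1      # no response sent at all
    return out


def packets_out_ratio(queries, responses_per_second, slip):
    """Responses sent per query received (1.0 means no packet-count reduction)."""
    r = rrl_second(queries, responses_per_second, slip)
    return (r["full"] + r["tc"]) / queries if queries else 0.0


if __name__ == "__main__":
    # Rates taken from the thread: 7 q/s, ~44 q/s average, 166 q/s peak.
    for qps in (7, 44, 166):
        for slip in (0, 1, 2):
            r = rrl_second(qps, 5, slip)
            print(f"qps={qps:3d} slip={slip}: full={r['full']} "
                  f"tc={r['tc']} drop={r['drop']} "
                  f"out/in={packets_out_ratio(qps, 5, slip):.2f}")
```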

